
Trojan.Agent.TSK DIALERSTAGER


Go to solution Solved by Maurice Naggar,


Hello!

All anti-virus websites are disabled, Windows Update doesn't work either.

When accessing each antivirus website, it says:

The web page at https://www.malwarebytes.com/mwb-download/thankyou?aid=37335 appears to be broken or permanently moved to a new web address.

*ERR_ADDRESS_INVALID*

I am attaching the files + a file that shows what Windows Defender writes as trojan source, but I can't remove them!

Thanks in advance!

Windows_Defender.jpg

Addition.txt FRST.txt scan.txt


Hello. On the report from Malwarebytes, did you notice the notation

Nincs felhasználói művelet

??  That means that very likely you did not "TICK" each line so that it would be selected for removal.

 Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes sca

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 


Please double verify you have that TOP check-box tick marked, and that then all lines have a tick-mark.

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉


You do not need to re-post the FRST set. 

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

  • Solution

There is a multi-pronged & very persistent trojan infection here. One of the next things we need to do. Use Windows File Explorer to go to the Downloads folder. Find FRST64.exe

With your right-mouse pointer, do a RIGHT Click on FRST64.exe and RENAME it

GAZORK.exe

This is in hopes of preventing a false block of this tool.


Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html


This custom script is for  KRISZTIANN2010  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

We will use GAZORK  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on GAZORK and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

  1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. We will do more tasks after this. This is not a cure-all.

Windows Resource Protection found corrupt files and successfully repaired them. And, the custom run is very good. I expect the elements of the trojan are gone. HOWEVER we need to run additional checks / scans.

[   Do a FULL scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select FULL scan .

Once it has started the scan phase, you can go take a long break.   Let me know the results.


These next steps can be referred to as a repair-install in place.
If this machine is a laptop or notebook, be sure it is connected to power thru a regular power cord to regular electric power.
( that is to say, not be on battery power).

1. Back up your personal data and files to an external hard drive, USB thumb drive.
2. Restart Windows.
3. Ensure you are signed in or have administrator rights to do a repair install
4. Unplug all external peripherals except for the Mouse, Keyboard, and LAN cable before starting. (Unplug printers, copiers, fax machines, if any.)

Download the media creation tool MCT    (Click Download tool now) and save it to your computer.
https://www.microsoft.com/en-us/software-download/windows10
or from https://go.microsoft.com/fwlink/?LinkId=691209

After it is completely saved, start the tool and select "Upgrade this PC now."

Make sure to select " Keep personal files and apps. "

It will take some time to run & complete. Your computer will restart a few times. Make sure you don’t turn off your PC.
If you see a dark screen at times, do not fret.  Just simply move the mouse pointer around the screen or press the space bar to trigger a screen display refresh.
 


  • AdvancedSetup changed the title to Trojan.Agent.TSK DIALERSTAGER

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply
  • If archive is too big you can upload here > https://wetransfer.com/

Also, Let me know how the situation is at this point as to any new "block" notices, or some other active security issue.
Also, please do one new Scan with Malwarebytes.

Thank you!

I would recommend getting a report on the update status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach mbst-grab-results.zip to your reply.

Hello. Thank you for the report. 

Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

See Support article how-to for Firefox
https://support.malwarebytes.com/hc/en-us/articles/4413298841747--Install-Malwarebytes-Browser-Guard-on-Firefox-browser

For the EDGE browser https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser

Note: If your pc also has Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).
 


We can proceed with cleanup of tools we used.

To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.
Any other download file I had you download, you may delete.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe. You are very welcome. I am glad to have worked with you.
Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.